rlm_sql sql_escape_func

Hagen Münch hmuench at gordiancode.com
Tue Jan 8 17:51:01 CET 2019

Sure, but then e.g.
UPDATE users set username = '%{Stripped-User-Name}' is expanded to UPDATE users SET username = 'foo'bar', because the single quote is not escaped and the execution of the query will fail. The statement should rather be xlated to UPDATE users SET username = 'foo''bar'.

-----Original Message-----
From: Freeradius-Devel <freeradius-devel-bounces+hmuench=gordiancode.com at lists.freeradius.org> On Behalf Of Alan DeKok
Sent: Dienstag, 8. Januar 2019 15:41
To: FreeRadius developers mailing list <freeradius-devel at lists.freeradius.org>
Subject: Re: rlm_sql sql_escape_func

On Jan 8, 2019, at 9:32 AM, Hagen Münch <hmuench at gordiancode.com> wrote:
> I met the problem that if there are string values in a data base that contain single-quotes, the radius_axlat function expands a "foo'bar" to "foo27bar" by using the sql_escape_func of the rlm_sql module.

  That's what the SQL escape function does.

> I solved it by adding
> ...
> Do you think this approach is appropriate and would it be possible to add this single-quote escape case to the v3.x source? Thank you.

  It's not correct.

  You can set "sql_safe_characters" in the SQL configuration.  See raddb/mods-config/sql/main/*/queries.conf for more information.

  Alan DeKok.

List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html

More information about the Freeradius-Devel mailing list